Command injection in Git package in Wrangler

Overview

Source
ID
GHSA-qrg7-hfx7-95c5
Aliases
CVE-2022-31249
GO-2023-1519
Affected package

Description

### Impact

A command injection vulnerability was discovered in Wrangler's Git package affecting versions up to and including `v1.0.0`.

Wrangler's Git package uses the underlying Git binary present in the host OS or container image to execute Git operations. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host.

### Workarounds

A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.

### Patches

Patched versions include `v1.0.1` and later and the backported tags - `v0.7.4-security1`, `v0.8.5-security1` and `v0.8.11`.

### For more information

If you have any questions or comments about this advisory:

* Reach out to [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries. * Open an issue in [Rancher](https://github.com/rancher/rancher/issues/new/choose) or [Wrangler](https://github.com/rancher/wrangler/issues/new) repository. * Verify our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).

Impact

Severity
Latest version of the CVSS score reported by the source of the advisory.
7.5 HIGH
Reference links
https://bugzilla.suse.com/show_bug.cgi?id=1200299
https://github.com/advisories/GHSA-qrg7-hfx7-95c5
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-qrg7-hfx7-95c5/GHSA-qrg7-hfx7-95c5.json
https://github.com/rancher/wrangler
https://github.com/rancher/wrangler/commit/12397eec50155cb2d24aa70bdf9e90c5f3b9a727
https://github.com/rancher/wrangler/commit/341018c8fef3e12867c7cb2649bd2cecac75f287
https://github.com/rancher/wrangler/commit/5a387e13e8d51e3340d9e5012a1951f0cca5fc90
https://github.com/rancher/wrangler/commit/8649ecc062204f28764fd80157a621cbae89c9cf
https://github.com/rancher/wrangler/compare/v0.7.2...v0.7.4-security1
https://github.com/rancher/wrangler/compare/v0.8.4...v0.8.5-security1
https://github.com/rancher/wrangler/security/advisories/GHSA-qrg7-hfx7-95c5
https://nvd.nist.gov/vuln/detail/CVE-2022-31249
https://pkg.go.dev/vuln/GO-2023-1519

Summary

339
Total packages affected
Packages with at least one version that is affected by the advisory or has an affected dependency.
56
Packages with a known fix
Packages with versions affected by the advisory that have a greater version that is not affected.
0.03%
Total ecosystem affected
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
github.com/rancher/wrangler
Affected Version: Introduced: 0, Fixed: 0.7.4-security1, Introduced: 0.8.0, Fixed: 0.8.5-security1, Introduced: 1.0.0, Fixed: 1.0.1, Introduced: 0.8.6, Fixed: 0.8.11
Patched/Unaffected
v0.7.5
v0.8.5
v0.8.6-0.20210819203859-0babd42fbad8
v0.8.11
v1.0.1
v1.0.2
v1.1.0
v1.1.1-0.20230131212012-76adc44fca0c
v1.1.1-0.20230410211151-406367dc3d74
v1.1.1-0.20230419173538-80fdf092be3b
v1.1.1-0.20230425173236-39a4707f0689
v1.1.1-0.20230818201331-3604a6be798d
v1.1.1-0.20230831050635-df1bd5aae9df
v1.1.1
v1.1.2
Affected
v1.0.1-0.20230208234005-a59a11cc3ef5
v1.0.1-0.20230112175341-ce552e665720
v1.0.1-0.20230110004444-57f14d386afb
v1.0.1-0.20221228020824-de4d86eabb7b
v1.0.1-0.20221202234327-1cafffeaa9a1
v1.0.1-0.20221128225625-672366f64635
v1.0.1-0.20220901190859-45a179631861
v1.0.1-0.20220623232707-cc833dd0d546
v1.0.1-0.20220520195731-8eeded9bae2a
v1.0.0
v0.8.11-0.20230207214913-209077f2d98f
v0.8.11-0.20220411195911-c2b951ab3480
v0.8.11-0.20220217210408-3ecd23dfea3b
v0.8.11-0.20220120160420-18c996a8e956
v0.8.11-0.20211214201934-f5aa5d9f2e81
v0.8.10
v0.8.9
v0.8.8
v0.8.7
v0.8.6
v0.8.5-0.20230123114839-8649ecc06220
v0.8.4
v0.8.4-0.20210729214659-5e75fca61cb2
v0.8.4-0.20210727180331-41409b4e8965
v0.8.4-0.20210721232424-82b1bc4f2de5
v0.8.3
v0.8.2
v0.8.1
v0.8.1-0.20210618171953-ab479ee75244
v0.8.1-0.20210616052237-57e55381d3ed
v0.8.1-0.20210521213200-39dd8bf93e9f
v0.8.1-0.20210506052526-673b7f8692d9
v0.8.1-0.20210429171250-3bef7a4bfeef
v0.8.1-0.20210424045532-c389a3e0ae51
v0.8.1-0.20210423003607-f71a90542852
v0.8.0
v0.7.3-0.20230123114828-12397eec5015
v0.7.3-0.20210407025123-cf9bb4f55cee
v0.7.3-0.20210406165340-a333c92020cf
v0.7.3-0.20210331224822-5bd357588083
v0.7.3-0.20210325230949-f096ad3a59c5
v0.7.3-0.20210224225730-5ed69efb6ab9
v0.7.3-0.20210219171705-1969c99916dd
v0.7.3-0.20210219161540-ef7fe9ce2443
v0.7.3-0.20201113175531-e43374b2929a
v0.7.3-0.20201028210318-d73835950c29
v0.7.3-0.20201023210123-9b7d265b90ec
v0.7.3-0.20201020003736-e86bc912dfac
v0.7.3-0.20201004050240-264809ad4ab9
v0.7.3-0.20201002224307-4303c423125a
v0.7.2
v0.7.1
v0.7.0
v0.6.2
v0.6.2-0.20200925234108-36dac45bb3fd
v0.6.2-0.20200922204249-68dfef44d080
v0.6.2-0.20200916052259-24781350894c
v0.6.2-0.20200915162151-29365defe4ed
v0.6.2-0.20200912225020-2e02d61f54bc
v0.6.2-0.20200909050541-7465f10bdac7
v0.6.2-0.20200829053106-7e1dd4260224
v0.6.2-0.20200828062337-113afceceb91
v0.6.2-0.20200828043115-6943c5e1c9c7
v0.6.2-0.20200827201958-9b574583587e
v0.6.2-0.20200822010948-6d667521af49
v0.6.2-0.20200820173016-2068de651106
v0.6.2-0.20200815035759-cd3dc18ad392
v0.6.2-0.20200811174245-58da209ac37b
v0.6.2-0.20200802063637-28dae3c1fc1b
v0.6.2-0.20200714200521-c61fae623942
v0.6.2-0.20200622171942-7224e49a2407
v0.6.2-0.20200515155908-1923f3f8ec3f
v0.6.2-0.20200427172034-da9b142ae061
v0.6.2-0.20200417063009-962aed6a55dc
v0.6.2-0.20200416052700-e88875e410e8
v0.6.1
v0.6.0
v0.5.4-0.20200604212251-fc9dde4243fc
v0.5.4-0.20200520040055-b8d49179cfc8
v0.5.4-0.20200417162130-9817cb5fdf6b
v0.5.4-0.20200326191509-4054411d9736
v0.5.3
v0.5.2
v0.5.1
v0.5.1-0.20200312201919-371ff2551072
v0.5.1-0.20200311053157-692040bfd728
v0.5.1-0.20200302190048-e60d4be8fc9b
v0.5.0
v0.4.2-0.20200225192203-e5307acd8846
v0.4.2-0.20200215064225-8abf292acf7b
v0.4.2-0.20200214231136-099089b8a398
v0.4.1
v0.4.1-0.20200111044800-215c44d6d835
v0.4.0
v0.3.1
v0.3.0
v0.2.1-0.20191205190617-661f00f286d2
v0.2.1-0.20191109002915-2a833f7e410d
v0.2.1-0.20191104064538-22e063a2a843
v0.2.1-0.20191025041946-1fd360590735
v0.2.1-0.20191022173830-fea752b72607
v0.2.1-0.20191021174615-d8c92d2665fe
v0.2.1-0.20191015042916-f2a6ecca4f20
v0.2.0
v0.1.7-0.20190905161106-749be31cca6c
v0.1.7-0.20190824203417-e7b6ecb74e90
v0.1.6
v0.1.6-0.20190822171720-e78d8316ee95
v0.1.6-0.20190816172853-95ab7af39785
v0.1.5
v0.1.4
v0.1.3
v0.1.2
v0.1.1
v0.1.0
v0.0.0-20190516181950-a7cf48fa83ef
v0.0.0-20190512193419-40fa298578b9
v0.0.0-20190509213517-cd48b2f2b218
v0.0.0-20190507213151-11fc1ecb7bdb
v0.0.0-20190426050201-5946f0eaed19
v0.0.0-20190422234134-250d666698a3
v0.0.0-20190329182315-1e7b870cf096